Testing Event Threat Detection

Verify that Event Threat Detection is working by intentionally triggering the IAM Anomalous Grant detector and checking for findings.

Event Threat Detection is a built-in service that monitors your organization's Cloud Logging and Google Workspace logging streams and detects threats in near-real time. To learn more, read Event Threat Detection overview.

Before you begin

To view Event Threat Detection findings, the service must be enabled in Security Command Center Services settings.

To complete this guide, you must have an Identity and Access Management (IAM) role with the resourcemanager.projects.setIamPolicy permission, like the Project IAM Admin role.

Testing Event Threat Detection

To test Event Threat Detection, you create a test user, grant permissions, and then view the finding in the Google Cloud console and in Cloud Logging.

Step 1: Creating a test user

To trigger the detector, you need a test user with a gmail.com email address. You can create a gmail.com account and then grant it access to the project where you want to perform the test. Make sure that this gmail.com account doesn't already have any IAM permissions in the project where you are performing the test.

Step 2: Triggering the IAM Anomalous Grant detector

Trigger the IAM Anomalous Grant detector by inviting the gmail.com email address to the Project Owner role.

  1. Go to the IAM & Admin page in the Google Cloud console.
  2. On the IAM & Admin page, click Add.
  3. In the Add principals window, under New principals, enter the test user's gmail.com address.
  4. Under Select a role, select Project > Owner.
  5. Click Save.

Next, you verify that the IAM Anomalous Grant detector has written a finding.

Step 3: Viewing the finding in Security Command Center

To view the Event Threat Detection finding in Security Command Center:

  1. Go to the Security Command Center Findings page in the Google Cloud console.

  2. In the Category section of the Quick filters panel, select Persistence: IAM anomalous grant. If necessary, click View more to find it. The Findings query results panel updates to show only the selected finding category.

  3. To sort the list in the Findings query results panel, click the Event time column header so that the most recent finding displays first.

  4. In the Findings query results panel, display the details of the finding by clicking Persistence: IAM Anomalous Grant in the Category column. The details panel for the finding opens and displays the Summary tab.

  5. Check the value on the Principal email row. It should be the test gmail.com email address that you granted ownership to.

If a finding doesn't appear that matches your test gmail.com account, verify your Event Threat Detection settings.

Step 4: Viewing the finding in Cloud Logging

If you enabled logging findings to Cloud Logging, you can view the finding there. Viewing logging findings in Cloud Logging is only available if you activate Security Command Center Premium tier at the organization level.

  1. Go to Logs Explorer in the Google Cloud console.

  2. Select the Google Cloud project where you are storing your Event Threat Detection logs.

  3. Use the Query pane to build your query in one of the following ways:

    • In the All resources list, do the following:
      1. Select Threat Detector to display a list of all the detectors.
      2. Under DETECTOR_NAME, select iam_anomalous_grant.
      3. Click Apply. The Query results table is updated with the logs you selected.
    • Enter the following query in the query editor and click Run query:

      resource.type = "threat_detector"

      The Query results table is updated with the logs you selected.

  4. To view a log, click a table row, and then click Expand nested fields.

If you don't see a finding for the IAM Anomalous Grant rule, verify your Event Threat Detection settings.
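As an added example (not part of Google's documentation), the following Python applies the same filter to exported log entries that the Logs Explorer query in Step 4 applies, sorts the matches newest-first as Step 3 does with the Event time column, and confirms that a finding names the test account from the Principal email row. The sample log lines are constructed for this example: `resource.type = "threat_detector"` and `detector_name = "iam_anomalous_grant"` come from the page, while the `jsonPayload` field layout (`properties.sensitiveRoleGrant.principalEmail`) is an assumption to check against your own entries.

```python
"""Filter Event Threat Detection log entries for the IAM Anomalous Grant
detector and verify that the expected test account appears in a finding."""
import json
from datetime import datetime

# Constructed sample entries, one JSON log entry per line. Only the
# resource.type and detector_name values follow the documentation; the
# jsonPayload layout below is an assumption made for this example.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-01-15T10:02:00Z",
        "resource": {"type": "threat_detector",
                     "labels": {"detector_name": "iam_anomalous_grant",
                                "project_id": "example-project"}},
        "jsonPayload": {"properties": {"sensitiveRoleGrant": {
            "principalEmail": "etd-test-user@gmail.com",
            "role": "roles/owner"}}},
    }),
    # Audit log line for the grant itself: not a threat_detector entry,
    # so the Step 4 filter must drop it.
    json.dumps({
        "timestamp": "2024-01-15T10:01:00Z",
        "resource": {"type": "project",
                     "labels": {"project_id": "example-project"}},
        "protoPayload": {"methodName": "SetIamPolicy"},
    }),
    # An older finding from the same detector for a different account.
    json.dumps({
        "timestamp": "2024-01-15T09:30:00Z",
        "resource": {"type": "threat_detector",
                     "labels": {"detector_name": "iam_anomalous_grant",
                                "project_id": "example-project"}},
        "jsonPayload": {"properties": {"sensitiveRoleGrant": {
            "principalEmail": "other-account@gmail.com",
            "role": "roles/owner"}}},
    }),
]


def parse_entries(lines):
    """Parse newline-delimited JSON log entries, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def _event_time(entry):
    # RFC 3339 "Z" suffix is not accepted by fromisoformat before 3.11.
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))


def iam_anomalous_grant_findings(entries, detector_name="iam_anomalous_grant"):
    """Equivalent of the Logs Explorer selection in Step 4:
    resource.type = "threat_detector" narrowed to one DETECTOR_NAME,
    ordered newest-first like the Event time sort in Step 3."""
    matched = [
        e for e in entries
        if e.get("resource", {}).get("type") == "threat_detector"
        and e["resource"].get("labels", {}).get("detector_name") == detector_name
    ]
    return sorted(matched, key=_event_time, reverse=True)


def principal_email(entry):
    """Read the principal named by the finding (field path is assumed)."""
    return (entry.get("jsonPayload", {}).get("properties", {})
            .get("sensitiveRoleGrant", {}).get("principalEmail"))


def finding_for_test_account(entries, test_account):
    """True when an IAM Anomalous Grant finding names the test account."""
    return any(principal_email(e) == test_account
               for e in iam_anomalous_grant_findings(entries))


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_LINES)
    for finding in iam_anomalous_grant_findings(entries):
        print(finding["timestamp"], principal_email(finding))
    if not finding_for_test_account(entries, "etd-test-user@gmail.com"):
        print("No finding for the test account; verify your "
              "Event Threat Detection settings.")
```

If no finding for the test account comes back, the same advice as above applies: check the Event Threat Detection settings before assuming the detector is broken, and remember that a finding can take a little while to appear after the grant.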

Clean up

When you're finished testing, remove the test user from the project.

  1. Go to the IAM & Admin page in the Google Cloud console.
  2. Next to the test user's gmail.com address, click Edit.
  3. On the Edit permissions panel that appears, click Delete for all roles granted to the test user.
  4. Click Save.

What's next
